Did the 2006 Symantec Breach Expose RSA's SecurID?

Author's note: This article is based on significant speculation on my part. I am writing this reluctantly as I had expected others more directly involved in the industry to have raised the issues I'm about to given its gravity.

This is an invitation for both Symantec and EMC to clarify whether or not any of the code contained in public leaks of Symantec source code has been remediated in order to protect current customers since I see it as a liability for EMC's RSA division unless there's a valid explanation for what I've discovered, and that I'm wrong about the potential impact.

I sure hope so.

There are, to my mind, some serious concerns that the Symantec leak could pose a risk to RSA's "SecurID" product, but only EMC can set people's minds at ease. That is the purpose of this article.

I've been involved in the Symantec story since it first appeared here on Infosec Island after "Yamatough" contacted our publication with reputed source code for numerous Symantec products.

In my capacity as a coder and antimalware researcher, I was asked to independently download and examine the contents of Symantec code which was publicly available, including snippets of code released in early January, as well as the Norton Utilities source code released on January 13.

In both cases, after reviewing various portions of the source code in question and my awareness of major changes to the Windows operating system since 2006, it was my determination that the majority of source code was rendered largely obsolete and inert as the result of both 64 bit versions of Windows as well as changes required for Vista and therefore unlikely to have remained intact currently.

This past Tuesday, source code for PCAnywhere was released and as before, I downloaded the torrent and examined some of its contents.

The PCAnywhere code was of a similar vintage, however there was evidence here of code created for both 64 bits as well as Vista which meant that it's entirely possible that much of this code might still be in use in current versions of the PCAnywhere product.

Symantec also acted to patch PCAnywhere quickly after the announcement of the potential release of the source code which suggests to me that there were indeed pieces of the 2006 source code still in use in their current product.

We can assume therefore that Symantec took reasonable steps to redesign these portions of code in their patch updates which would likely render vulnerable portions of their own code safe to use as they indicated in communications to their customers. I'll take them at their word that they have.

However, further examination of the source code for PCAnywhere turned up something that is disturbing to me at least and is the basis for the questions I'm raising in this article.

The source code which fell into the hands of "Yamatough" contains numerous header files and several libraries belonging to RSA, and indeed SecurID code is a part of the PCAnywhere product contained in the purloined source code.

(click image to enlarge)

What is particularly interesting about the files in the source is that Symantec clearly removed all of the code pertaining to the Windows version of RSA's sources and libraries, leaving numerous directories for Windows RSA code empty, yet the directories intact. But they left in Linux headers and libraries designed to be compiled against "RedHat 7" Linux and therein is what I see as a risk to EMC's RSA product.

I did not make the effort to examine the code fully, but did examine a good number of various header declarations through several files and they appear to be sufficiently complete to compile malware against RSA's library code contained in Symantec's sources.

(click images to enlarge)

It should be noted that the files in question date back to May of 2003, but RSA's encryption dates back into 1999 and is likely to be sufficiently valid enough to abuse today. The document named "RSA SecurID Ready Implementation Guide.doc" is harmless and is intended to explain to Symantec users how to configure the SecurID components inside PCAnywhere.

It is those header files and more significantly the "libbsafe.a" library which is of concern here since ".a" files are compiled, but not linked which would make them linkable to any code including potential malware. And the headers would provide the information necessary to call into this library file for anyone who linked the headers and library to their code.

I did not attempt to discover what is actually inside the "libbsafe.a" library nor attempt to reverse engineer the library because there are legal issues in doing so that I did not want to step in. So perhaps Symantec and/or EMC can tell us what that library is actually about.

And given the RSA break in last year to obtain valid "keys" to use to infiltrate so many government and corporate systems using SecurID, I can't help but wondering if this code was stolen back in 2006 or thereabouts, could this possibly be the reason why the attackers had such widespread success?

Having the source code headers for the libbsafe library would certainly give them everything they'd need as long as they could gather enough keys to figure out the rest of the algorithm given the sources in my estimation.

And while the Windows libraries were absent along with the Windows header files, the Linux header files would still be useful for generating Windows malware and in the ".a" format, the compiled Linux libraries could easily be reverse-engineered in order to reconstruct valid Windows libraries to go along with the headers.

And it is this which gives me a serious case of the willies if I were using SecurID and my utter surprise that these sources could be "out there" in the hands of any untrusted third party, much less script kiddies, for so long without alarms going off immediately from Symantec. And I don't know if EMC was even aware of this.

I seriously believe that the security community deserves some answers, and some better disclosure about what exactly happened here.

My apologies in advance for ruining people's Friday.

About the author: Kevin McAleavey is the architect of the KNOS secure operating system ( http://www.knosproject.com ) in Albany, NY and has been in antimalware research and security product development since 1996.

Krypt3ia
This would not surprise me.. But then again, now, post the RSA hack, people are still using old fobs and not much has happened with regard to RSA coughing up data and really fixing things..

So....

1328900151

Bobby Mann
Ok, you guys have no clue.
First, the code is publicly available code released as part of a development kit. Nobody needs to "analyze" Symantec's implementation of the RSA library as ANYONE can get a hold of this. Do some research before you spout off.
Second point, if you did actually analyze the code as the screenshots show, and you still have this code, you are in possession of STOLEN PROPERTY. This is a crime. Plain and simple. I would advise you to remove the code from your system as law enforcement is now involved. I, personally, would not want to be in possession of anything that could ultimately involve a legal investigation.
But, nice story.

1328905810

Krypt3ia
Bobby, troll much? Sure, the code may be available in escrow elsewhere and frankly my comment was much more about the fact RSA has done squat post their hack than anything to do with this alleged assessment of the YT release.

1328906680

Kevin McAleavey
Hey, Bobby.
Thanks for some idea of what that's about, and hopefully you're correct. It's a pity that so many questions linger though as to how long the code has been "in the wild" and whether or not the crypto is at risk. Since EMC's SDK's are likely disclosed under very tight NDA's with the expectation of being kept secure, I still see this being something that shouldn't be out there for the ne'er-do-wells to have access to. Doesn't take much information to create malware and its presence is of concern nonetheless.

As to the legal aspects, criminal law always comes down to "intent." I've been in the antimalware biz for more than a decade, the "spooks" know who I am, where I live and they even have my phone number. Samples come in all the time containing highly proprietary code as well as actual malware on a daily basis. As a professional, I know the rules. That's why I didn't take it upon myself to disassemble or otherwise reverse the code knowing those rules.

Rest assured no copies were kept, no disclosures have or will be made beyond a directory listing and speculation, that's just how I operate regardless of whose code I examine. I'm of the age where "straight and narrow" is how we were brought up, so don't sweat it. Hopefully the vendors will get around to answering the questions.

And thanks for the compliment!

1328914268

Krypt3ia
Kevin, truly a gentleman there in contrast to Bobby's douchey-ness. I am not so inclined. Bobby, you need to just back off on the trolling responses. I know you are affiliated with Symantec so bugger off. You and Symantec are a failure presently. Learn from it and become better.
K.

1328915355

Kevin McAleavey
Thanks ... that's just how I roll. Doing the right thing is all I care about even if it bothers some. The behavior of some of the big vendors that so many depend on is the reason why I'm doing what I'm doing now.

1328915880

Bobby Mann
Here's an example of how easy it is to obtain. By your comments Kevin, I see you really don't understand how SecurID works. Think of it as three parts. An algorithm that is top secret, a seed and a randomly generated number. There is also an interface that is needed to the algorithm. What Symantec uses in pcAnywhere is all public. The customer supplies the connector (interface) to the SecurID system, and the end user supplies the randomly generated PIN via a fob, soft token, etc. So, in essence it makes absolutely NO DIFFERENCE WHATSOEVER that there is part of the RSA SDK in the pcA code, as it's PUBLIC an ANYONE can get it. Get it?
What really steams me is when articles are written with these headlines that make the reader PANIC or think there's a bigger problem and you faltly have not done ANY homework. Shame on you, and your buddy Krypto. Whatever that hadle means.
Shoddy article, and frankly it's just written to make a bigger mountain out of a mole hill.

Bobby Mann
Sorry Mike, I forgot, you prefer to give airtime to thieves and hackers..and wannabe journalists who do aboslutely no fact checking. You are correct, the first line does tell me something. It tells me the author is covering his ass and probably should have held onto his thoughts before publishing a pile of crap like that. I'll stand by by comments that this site is a collection of old geezers who band together to incite fear or spread propaganda. Write something useful. When 60 minutes does their story (and it's being worked on) you'll see what true journalism is all about.
Until then...

1328984510

Krypt3ia
Hey Booby,
I know you are probably following the thread and now cannot comment, but, I just have to say that your trolling is some of the most flaccid I have ever seen. That line about 60 Minutes was just hilarious!

I will check with my contact at 60 minutes though, they likely will get a chuckle out of it too.

Bobby ... are you responding on behalf of Symantec by any chance? Also not helping.

1329010604

Todd Leetham
I can provide you all with the answer from the EMC/RSA side. In a word, no. It was not related at all.

1329151162

Made Up
FYI RSA SecurID had been "reversed" over a decade ago... no need to go through PCAnyWhere to get this code... http://seclists.org/bugtraq/2001/Jan/293
The seeds are one needs, these are not easily obtained as they once were, and programs like Cain&Abel allow you to put in a seed file, the token's serial # and VIOLA! instant RSA token. This article is poor conjecture, I don't think anyone will need to set anything straight... your guess is not so good.

1329161826

Terry Perkins
Wow! I'm amazed at the responses. Good grief. Aren't you people professionals?

1329167979

Anthony M. Freed
Received an email from Symantec's Cris Paden on the issue which he said I was free to share:

“It’s typical in the software development industry for vendors to make available software development kits to ensure smooth interactivity between new software and existing programs or platforms. In this case, this represents no more than the client side libraries that are included in the publicly available SDK required to implement SecureID. Having said that, Symantec has investigated these claims and has confirmed there is not a link between the source code theft in 2006 and the RSA security breach in 2011. Anything beyond that is speculation and is not accurate.”

*This* is what I was hoping for, some official word that would answer the question. A number of my colleagues asked me if I knew the answer to this, apparently in response to a tweet from one of the "antisec" crew who believed that this was some sort of Rosette stone for "hacking" upon the announcement of the release.

To those who heaped scorn on the question, I fully understand and apologize for being the one who went and asked the question.

I still feel that it was a valid question to be raised, but with the law being what it is, I was unable to answer it for myself.

Thanks!!! :)

1329177811

Collective Grooves
@Krypt3ia I see you are at it again. - Seriously, do you offer anything of value when you post your comments?

You sound like a very bitter person who needs to respect the opinions of others and not attack someone because they don't agree with your opinions and values.

I don't know why you have it in for Symantec, nor do I really care, but if someone wants to defend them, then let them. Don't tell them to bugger off and comment that they are being douche.

This site used to have some very useful information from some respected people. Now as Bobby has put it, this site gives airtime to thieves, hackers and wannabe journalists.

Post from people like Krypt3ia offer nothing in terms of offering any insight and do not spark conversation, it only sparks

A good story/post/article/journalist would always present both sides of the story/argument and then let the reader make a decision. The posts that I see from Krypt3ia on this site only seem to contain one person's view or opinion. (His own)

Either this is done on purpose to spark comments and conversation or it is done out of being so narrow minded that their opinion is the only opinion that matters and everyone else has to agree with it or else. (I ran in to Krypt3ia on his blog site and at this point in time, I am leaning towards him being very narrow minded)

Krypt3ia, the internet has given you a voice which you previously did not have, don't waste your time and resources and other peoples time and resources by filling it with trash. Look at the bigger picture and offer two sides to the story to give people the opportunity to think rather than react.

Collective Grooves

1329202815

Laura Walker
Wow, that was a refreshingly positive post demonstrating the merits of professionalism over personal attack.

1329211485

Krypt3ia
Groove, It feels like it is you who have it in for me over the comments on Symantec I have made really. Let me put you straight on a few things.

First, I am not a journalist.

Second, my comments are just that, commentary which I have just as much a right to put out there as you do here and now.

Third, I made my comments on Symantec because I interface with it in an enterprise setting managing it and I find it mostly useless. It is not an implelentation issue, it is a root issue with the console and the system. I do not need to drag all of that out just to satisfy you so you won't chide me for being narrow minded or a meanie.

So, there you have it Collective, you commented much the same on my blog and I approved them for all to see. Had I been trying to censor your feelings then I would have deleted them or shouted you down, neither of which I did. As to not adding to dialogue, you mention the Symantec post alone, have you had this issue wiith other posts or are you just fixated with managiing Symantecs image here?

K.

1329219056

Collective Grooves
Krypt3ia I do not have it in for you personally. What I have found since this story broke is people such as yourself judging an entire organization for one product that they had some issues with. It pollutes the actual issue at hand with nonsense and does not offer any value whatsoever.

People such as yourself have gone out of their way to "comment" on how they hate the product or how useless it is, and turning a chance to add value to a serious story in to a witch hunt.

Specifically for this story, I believe Symantec have done well considering the circumstances. They have been forthcoming with information to their customers and have identified the steps needed to remidiate the situation.

Exactly how the source code got out there, we will never know the true story and we can only ever speculate. However given the code is a number of years old and newer versions have been developed, I do not see any heightened risk and am confident that customers using Symantec products will be protected and looked after by Symantec.

In my experience, the failure of a product in an environment has never been down to the product itself. I have found that it always comes down to the following:

- Poor Product Choice - The product was chosen for the environment without being 100% confident that it will meet its intended use. This is not the fault of the product, the features and functions are set out in black and white, it is matching the right product with the right use.

- Poor Architectural Design - Again this is a combination of the above and the architect not understanding the products capability's or understanding the issues which need to be solved.

- Poor Implementation - This can sometimes be the result of the above two points I have mentioned or it can be simply someone who does not have the experience with a product. Either way, it always ends badly and causes administrative headaches and overhead and leads to endless frustration.

- Poor Training - This I have found to be the cause of poor implementation. I have found that some administrators are either too proud to say that they need help and training because they don't want to be seen as being incapable. This is the fault of the organization that they work for as they do not generally have a career development program in place or they have a poor manager who does not understand that EVERYBODY has limitations.

I myself have never come across this with Symantec or any other product that I have implemented.

If I know what issues I need to address both current and future state and I understand the products capabilities both current and future state and the products that I evaluate meet and exceed my requirements. Then I look at the design and the implementation of the product with the assistance of the vendor to ensure that I am following best practices.

The easy part is training on the product to enable confidence in the use of the product and then a confident implementation follows naturally. (yes there will always be hiccups, but being confident in the product and the vendor ensure me that a good outcome is never too far away)

We as human beings tend to mock what we don't know or understand. It is human nature.

In your case if you have an issue with the product, then ensure that you involve the vendor to help get the issues resolved. Rather than mock them and tell the world how they suck or are useless give the vendor the opportunity to fix the issue and advise accordingly. Perhaps the product may not do what you are trying to achieve. If that is the case, find a product that can meet your requirements.

From a security perspective, you need to take a layered approach. You can not rely on a single layer to protect an environment. With your issue with Symantec Antivirus product and the increase of malware in your environment. I have found the simplest way to help reduce the spread of malware is to provide user training. Set up a workshop at lunch time for the employees, create an initiative with your manager or the CIO to help users better understand the dangers that lurk out there.

Non computer savvy people will open anything and everything because that's how they have been trained in the past. If you can help them understand the dangers that are lurking behind some emails and some webpages then you can potentially help reduce the spread of malware within your environment. They will then take that good practice home and it will end up becoming second nature. A good mail and web security product also adds that second layer of protection.

At the end of the day, an antivirus product should be the LAST line in your defense. Your Firewall, Mail & Web Security, User training should be at the higher layers of your defense strategy. Your users are your strongest and your weakest link. Help them help you.

Now that I have rambled on for some time, I will address the reason why I am following Symantec code leak story so diligently.

I am specifically following this for business and personal reasons.

From a business perspective, it does concern me that so many high profile organizations are being targeted. Only yesterday there was a post on Infosec Island saying that Intel was breached. From this information, I look to see what I can do to better protect the information that is stored in my companies environment.

I have resigned to the fact it is almost impossible to stop a breach/hack from occurring. It is my job to advise on how we can mitigate the risk even further to make it as hard as possible for hackers to breach my environment.

From a personal perspective, I mentioned this on your blog. I am looking at the bigger picture and the worst case scenario. The bigger picture is (according to the information on the internet) the Indian Military was hacked. Now as state based hacking has increased over the years (depending on who you believe) what does this mean for us the end user?

Are these hackers associated with terrorist organizations? Call me melodramatic, but what world are we living in where now everybody wants to stab everybody in the back? Why are people so consumed with chasing money and fame?

Hypothetically speaking, say that source code is not the only thing they took, what is they took information pertaining to nuclear facilities. Given that there is news that these hackers tried to extort money (depending on who you believe). Who is to say that they wont sell this information to a terrorist organization. So that is one side of the story ff that's not the case and no money was ever going to change hands, what is their motive. In this instance the motive for this hack has not been made clear. What are they trying to achieve?, what are they trying to prove?

These are the questions I want to try and answer. What I don't want is people polluting the story with their own agenda because they don't like a product or a particular vendor.

From here on I wont be making any further comments. I think I have said my piece and I don't think I could add any further value to this conversation. Out of all of this, I hope your blogs and your comments are less one sided and you are open to looking at the broader landscape rather than focusing on negative experiences.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.